Password (Built-in) Authentication

Password authentication is the default authentication provider used by RStudio Connect. It uses local user accounts backed by the RStudio Connect database and is not integrated with any external, third-party authentication services.

Users will be able to create accounts when they first visit the system and will provide profile details, like username, name and email, at that time. An administrator will also be able to create new accounts. The first user that logs in automatically becomes an administrator.

RStudio Connect will use password authentication if the Authentication.Provider setting has a value of password or if Provider is not present in the configuration file.

; /etc/rstudio-connect/rstudio-connect.gcfg
[Authentication]
Provider = password

Groups

Groups are supported when using Password authentication. They can be managed manually in the Connect dashboard or via the Connect Server API.

Limitations to Remember

Using password authentication makes it easy to get RStudio Connect up and running quickly but is really only appropriate when using RStudio Connect in one of these situations:

  • A demonstration or proof-of-concept in which RStudio Connect is being evaluated or explored.

  • Training users to use RStudio Connect.

  • Using RStudio Connect to do some small-scale testing.

  • A small group of users without, or isolated from, a centralized IT system.

Security Considerations

So far as it goes, the password authentication provider follows proper security policies, but there are limitations to be aware of.

Acceptable Passwords

Passwords must be at least 6 characters long. Use the Password.MinimumScore configuration option to set a minimum complexity score for new passwords. The minimum score must be a number between 0 (the default) and 4. Any other value will prevent the RStudio Connect server from starting. A value of 0 will allow for any password, so long as the length requirement is met. A value of 1 will disallow the most obvious bad passwords, such as password, dates, the user's email and so on. The higher the value, the more complex, and therefore secure, new passwords must be.

Note: Raising the minimum score will not affect existing passwords; it only affects new ones, either for new users or when a user changes their password.

We use the zxcvbn password measurement library, an industry de facto standard for estimating the strength of a password. It derives a score for a password's complexity (also called entropy) and accounts for "nearby" data such as the username and email address, which results in a number from 1-4. For most security profiles, a value of only 1 or 2 is sufficient.

The zxcvbn algorithm came from Dropbox, who wrote an article that describes the approach.
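Following the page's own Section.Key convention (Authentication.Provider becomes [Authentication] / Provider), the weak default and a stricter setting look like this. This is an added example, not from the original page; the [Password] section name is derived from that convention.

```ini
; /etc/rstudio-connect/rstudio-connect.gcfg
[Authentication]
Provider = password

[Password]
; Default (0): any password of at least 6 characters is accepted.
; MinimumScore = 0

; Stricter: reject the most obvious bad passwords (dictionary words, dates,
; the user's own email) while remaining usable for most teams. Valid range 0-4;
; any other value stops the server from starting.
MinimumScore = 2
```

Existing passwords are not re-checked when this value changes; only new or changed passwords are.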

Exceptions

It is important to remember that there are several additional security policies that the password authentication provider does not support. For example, the provider does not:

  • provide for password expiration,
  • provide automatic user lockout on multiple login failures,
  • enforce any specific limits on classes of characters.

Note that although no specific character classes can be required (e.g., that passwords must contain upper- and lower-case letters, digits, symbols, etc.), the more character types present in a password, the higher its score will be. So requiring a higher minimum score inherently requires more variety in character types.
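Because the provider offers no automatic lockout, an operator can compensate by watching the server log for bursts of failed logins against one account from one address. The following is an added example, not RStudio Connect code: the log-line format, user names and addresses are constructed for illustration, and LINE_RE would need adapting to the server's real log format.

```python
# Added example (not RStudio Connect code): compensating detection for the
# missing lockout described above. The log-line format is CONSTRUCTED for this
# example, not RStudio Connect's own; adapt LINE_RE to what your server emits.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real RStudio Connect output).
SAMPLE_LOG = """\
2023-05-01T10:00:01Z user=alice result=failure src=203.0.113.7
2023-05-01T10:00:03Z user=bob result=success src=198.51.100.2
2023-05-01T10:00:06Z user=alice result=failure src=203.0.113.7
2023-05-01T10:00:09Z user=alice result=failure src=203.0.113.7
2023-05-01T10:20:00Z user=carol result=failure src=192.0.2.9
2023-05-01T10:20:01Z user=alice result=success src=203.0.113.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>success|failure) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return (timestamp, user, result, src), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["user"], m["result"], m["src"]


def find_failure_bursts(log_text, threshold=3, window=timedelta(minutes=10)):
    """Return (user, src, alert_time) for each burst of >= threshold failures
    within a sliding window; a successful login clears that pair's history."""
    history = defaultdict(deque)
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # unrelated log line
        ts, user, result, src = parsed
        q = history[(user, src)]
        if result == "success":
            q.clear()
            continue
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((user, src, ts))
            q.clear()  # one alert per burst
    return alerts
```

Running find_failure_bursts(SAMPLE_LOG) on the constructed log flags alice from 203.0.113.7 at the third failure; carol's single failure and bob's success produce nothing.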

If your security needs require more fully fledged authentication capabilities, you will need to use an alternate authentication provider such as PAM, OAuth2, LDAP, SAML or Proxied authentication.

Support for Administrators

Administrators can create accounts directly in the RStudio Connect dashboard. Similar to when users sign up for a new account, a confirmation email will be sent to the user.

In the case the user does not receive the confirmation email, the administrator can visit the user profile page under the "People" tab and resend this email. For existing users, the administrator can also send a password reset email from the same location.

Without Email Sending

Using password authentication without configuring email sending limits functionality and reduces security. Because emails cannot be relied upon for new user account confirmations and password reset requests, the alternative is to trust an RStudio Connect administrator to act as an intermediary in these operations.

When a new account is created, an administrator should visit the user profile page under the "People" tab and obtain a link to the account confirmation page. It's easy to copy that link to the clipboard.

Note: The administrator must not visit the obtained link. The link should be passed along to the user that will confirm the account and possibly set a password. Administrators should have no knowledge of the users' passwords.

When an existing user needs the password to be reset, the user should ask the administrator for a password reset link. As above, this link can be easily obtained from the user profile page under the "People" tab.

Note: The administrator must not visit the obtained link. The link should be passed along to the user that will confirm the account and possibly set a password. Administrators should have no knowledge of the users' passwords.